orcaqubits/acp-setup
acp-agentic-commerce/skills/acp-setup/SKILL.md
Scaffold an ACP merchant server project — install dependencies, import OpenAPI specs and JSON schemas, configure environment, and create initial endpoint stubs. Use when starting a new ACP implementation from scratch.
$ install --global
skillsauthnpx skillsauth add orcaqubits/agentic-commerce-claude-plugins acp-setupInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 6:37 AM149.4s1 file scanned
SKILL.md
- name:
- acp-setup
- description:
- Scaffold an ACP merchant server project — install dependencies, import OpenAPI specs and JSON schemas, configure environment, and create initial endpoint stubs. Use when starting a new ACP implementation from scratch.
- allowed-tools:
- Read, Write, Edit, Bash, Grep, Glob, WebSearch, WebFetch
- disable-model-invocation:
- true
ACP Project Setup
Before writing code
- Fetch the latest spec version: Web-search
site:github.com agentic-commerce-protocol CHANGELOGfor the current spec version - Fetch the OpenAPI specs: Fetch from
https://github.com/agentic-commerce-protocol/agentic-commerce-protocol/tree/main/spec— download the latest versioned checkout and delegate-payment OpenAPI YAML files - Fetch the get-started guide: Fetch
https://developers.openai.com/commerce/guides/get-started/for onboarding steps - Check for SDK packages: Search PyPI for
agentic-commerce-protocoland npm for ACP-related packages. Note: there is no official standalone SDK — most implementations use the OpenAPI spec directly or reference implementations like Medusa.js
What This Skill Does
Scaffolds a new ACP merchant server project:
- Detect language/framework — Python (FastAPI/Flask/Django), TypeScript (Express/Fastify/Medusa), Go, etc.
- Install dependencies — HTTP framework, JSON schema validation, HMAC library, UUID generation
- Import OpenAPI spec — Download the latest versioned spec from the GitHub repo
- Create configuration — Environment variables for API keys, webhook secrets, API version, PSP credentials
- Stub endpoints — Create route stubs for the 5 checkout operations + webhook receiver
- Set up middleware — Bearer token auth, idempotency key extraction, API version header validation, request logging
Configuration Essentials
These must be externalized (env vars or config file):
ACP_API_KEY— Bearer token for authenticationACP_API_VERSION— Spec version (YYYY-MM-DD format)ACP_WEBHOOK_SECRET— HMAC signing key for webhooksSTRIPE_API_KEY— If using Stripe as PSP for delegated paymentACP_MERCHANT_ID— Merchant identifier for SPT scoping
Project Structure Pattern
merchant-server/
├── config/ # Environment and settings
├── routes/
│ ├── checkout.py/ts # 5 checkout endpoints
│ ├── webhooks.py/ts # Webhook receiver
│ └── health.py/ts # Health check
├── middleware/
│ ├── auth.py/ts # Bearer token validation
│ ├── idempotency.py/ts # Idempotency key handling
│ └── versioning.py/ts # API-Version header validation
├── models/ # Data models from JSON schema
├── services/
│ ├── checkout.py/ts # Business logic
│ ├── payment.py/ts # PSP integration
│ └── inventory.py/ts # Stock management
├── schemas/ # OpenAPI + JSON schemas
└── tests/
Fetch the OpenAPI spec for exact endpoint paths, request/response shapes, and status codes before generating stubs.
Related Skills
orcaqubits/spree-headless-storefront
development
VerifiedTrustedCommunity
Build with Spree's headless Next.js storefront — the official `spree/storefront` repo (Next.js 16 App Router with Server Actions and Turbopack, React 19 Server Components, Tailwind CSS 4, TypeScript 5, `@spree/sdk`, Sentry), server-only auth (httpOnly JWT cookies + publishable key), MeiliSearch faceted catalog, one-page checkout with Apple/Google Pay/Klarna/Affirm/SEPA, multi-region market routing, GA4 + JSON-LD SEO, and Vercel/Docker deployment. Use when forking or customizing the storefront, or evaluating headless adoption.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-extensions
tools
VerifiedTrustedCommunity
Build Spree extensions as Rails engines — gem scaffolding, `bin/rails g spree:extension`, mounting routes/migrations/assets, the modern `prepend` decorator pattern (`*_decorator.rb` with `self.prepended(base)`), generators (`spree:model_decorator`, `spree:controller_decorator`), the four customization surfaces in preference order (Events > Webhooks > Dependencies > Decorators), Spree::Dependencies for swapping service objects, gem release/versioning, and the deprecated Deface engine. Use when building a reusable Spree extension or adding non-trivial customization to an app.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-events-webhooks
development
VerifiedTrustedCommunity
Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-dev-patterns
tools
VerifiedTrustedCommunity
Cross-cutting Spree development patterns — the customization preference hierarchy (Events > Webhooks > Dependencies > Decorators), `Spree::Dependencies` service-object swapping, the `_decorator.rb` + `prepend` + `self.prepended` idiom, idempotent subscribers and webhook receivers, multi-store scoping discipline, prefixed IDs, calculator polymorphism (shipping/promotion/tax share the base), service-object composition with `dry-monads` or simple results, why to avoid `class_eval` reopening and Deface, and Spree-on-Rails idioms (Hotwire/Turbo Stimulus, ActiveStorage, Action Cable, Sidekiq). Use when designing the architecture of a Spree extension or solving cross-cutting concerns.
27SKILL.mdUpdated May 14, 2026